Hello Dawn -

On Tue, 19 Oct 1999, Dawn Lovell wrote:
> Now that our previous configuration errors have been corrected (Thank
> you, Hugh!), I have another one. :-)  We have a (unix) group of userids
> for which we would like the accounting information written to a separate
> detail file.  The machine on which we're trying this is running 2.14.1
> on Solaris 7.
> 
> Can "Group=" be used in a Handler definition?  Is there a better way to do
> this?  Our current configuration (which doesn't work :-) is shown below.
> 

No, this won't work as the Handler is looking for an attribute in the incoming
Access-Request packet. And I've forwarded some mail to Mike to let him know
about this configuration crashing Radiator. It shouldn't!

> AuthPort 1812
> AcctPort 1813
> LogDir /var/adm/radacct
> DbDir /etc/raddb
> SnmpgetProg /usr/local/bin/snmpget
> <SessionDatabase DBM>
>          Filename        %D/online
> </SessionDatabase>
> ...
> <<Client localhost>
>          Secret <not shown>
>          DupInterval 300
> </Client>
> ...
> <<AuthBy UNIX>
>          Identifier System
>          Filename /etc/shadow
>          DefaultSimultaneousUse 1
> </AuthBy>
> <Handler Group=trial>
>          <AuthBy FILE>
>          # The filename defaults to %D/users
>          </AuthBy>
>          AcctLogFileName %L/trial/detail
> </Handler>
> <Handler>
>          <AuthBy FILE>
>          # The filename defaults to %D/users
>          </AuthBy>
>          AcctLogFileName %L/%N/detail
> </Handler>
> 
> We were hoping that this would cause users in the "trial" group to be
> logged to one file and everyone else to be logged normally.  With this
> configuration, radpwtst (radpwtst  -auth_port 1812 -acct_port 1813 -secret
> <not shown> -user testuser -password <not shown>) gives the following
> errors.

I think I need to know a little bit more about what is in your "users" file,
shown above, as well as what form your usernames are and what makes them part
of the trial group other than the UNIX group file? i.e. do they dial into a
different phone number? Do they have a username of the form
[EMAIL PROTECTED]? In other words, how can we distinguish who they are
by the contents of the incoming packet? Otherwise, we will have to use a
PreClientHook or a PreHandlerHook to massage the packet prior to passing it to
the relevant Handler (which is going to be messy if we have to check the UNIX
group file). Hopefully we can come up with something a little more elegant.

Of course, you could always do something completely different like:

# Configure accounting to an SQL database or whatever
# Do accounting by UNIX group, etc. during post-processing

<Handler Request-Type = Accounting-Request>
        <AuthBy SQL>
                AccountingTable ...
                AcctColumnDef ...
                ...
        </AuthBy>
</Handler>


cheers

Hugh

--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, etc etc on Unix, Win95/8,
NT, Rhapsody
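
The post-processing route suggested in the reply above, sketched as an added example (not part of the original message and not Radiator code): all accounting goes to one detail file, which is split by UNIX group afterwards. It assumes the classic RADIUS detail layout (timestamp line, tab-indented `Attribute = value` lines, blank line between records) and that any `@realm` suffix should be ignored; the sample records, user names and function names are constructed for illustration.

```python
import grp
import pwd

# Constructed sample in the classic RADIUS "detail" layout (assumed here):
# a timestamp line, tab-indented "Attribute = value" lines, then a blank line.
SAMPLE_DETAIL = (
    'Tue Oct 19 10:15:02 1999\n'
    '\tUser-Name = "tuser1"\n'
    '\tAcct-Status-Type = Start\n'
    '\n'
    'Tue Oct 19 10:16:40 1999\n'
    '\tUser-Name = "alice"\n'
    '\tAcct-Status-Type = Start\n'
    '\n'
    'Tue Oct 19 10:45:11 1999\n'
    '\tUser-Name = "tuser1@example.com"\n'
    '\tAcct-Status-Type = Stop\n'
    '\n'
)

def unix_group_members(group):
    """Listed members of a UNIX group plus users whose primary GID is that group."""
    entry = grp.getgrnam(group)
    members = set(entry.gr_mem)   # gr_mem alone misses primary-group users
    members.update(p.pw_name for p in pwd.getpwall() if p.pw_gid == entry.gr_gid)
    return members

def parse_records(text):
    """Yield (raw_record, attrs) for each blank-line-separated record."""
    for raw in text.strip("\n").split("\n\n"):
        attrs = {}
        for line in raw.splitlines()[1:]:        # skip the timestamp line
            name, sep, value = line.strip().partition(" = ")
            if sep:
                attrs[name] = value.strip('"')
        yield raw, attrs

def split_by_group(text, members):
    """Return (in_group, others) lists of raw records, keyed on User-Name."""
    in_group, others = [], []
    for raw, attrs in parse_records(text):
        user = attrs.get("User-Name", "").split("@", 1)[0]   # drop any realm (assumption)
        (in_group if user in members else others).append(raw)
    return in_group, others

if __name__ == "__main__":
    # On a real host, pass unix_group_members("trial") instead of the literal set.
    trial, rest = split_by_group(SAMPLE_DETAIL, {"tuser1"})
    print(len(trial), "trial records,", len(rest), "other records")
```

Records with no `User-Name` fall into the "others" list, so nothing is silently dropped from the accounting trail.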
